VOGONS


First post, by Scythifuge

Rank Oldbie

Greetings,

I have read many posts on Vogons and elsewhere along the Information Superhighway which describe the immediate perils of connecting a DOS/Win 3.x/Win9x/WinXP PC to the World Wide Web. I have also read many posts which claim that the dangers are exaggerated and that as long as you don't name your PC/network "Banking," "Top Secret Government Files LAN," "Every Private Detail of My Personal Life PC" or something similar, and as long as one doesn't open strange attachments from weird emails, download things from shady and sketchy sites, and avoids watching internet porn (especially that tentacle stuff), it is relatively safe to surf the net.

I know quite a bit about PCs and I have a decent amount of network knowledge. Many years ago, during my preposterously disastrous first marriage to my terribly horrible ex-wife (or horribly terrible, depending on your point of view), we had a small apartment building and one of my tenants was a close friend who would come over to play Unreal Tournament and Ultima Online. We were using Windows 98 SE with internet connection sharing over a CAT5 crossover cable and a 56k dialup connection, and it worked rather well, for the time.

What I am curious to know is if there is a way to use a fully updated and firewalled Windows 10 PC to share the internet with my retro boxes, having all of the browser/online game functions go through the Windows 10 PC, so that the Windows 10 PC handles the internet as if it is the PC using the internet (which, in a way, it would be, I suppose). Personally, I wouldn't be worried about a retro box getting viruses and whatnot since I make drive backups and can simply wipe and start over. However, some posts warn about the home network itself being compromised and putting other devices in danger of an attack from some hacker jerk.

Many thanks!
Scythifuge

Reply 1 of 56, by creepingnet

Rank Oldbie

As far as I'm aware, internet connection sharing went away with Windows 9x. So as far as I know, no. And most likely, if they had it, it'd be restricted only to other machines running Windows 10, knowing how Microsoft tends to function (I worked there for 7 years doing I.T. support); they probably assume anything that old is long gone by now and no longer a threat. I think a lot of the big tech industry's fearmongering about old computers and old OSes is decently founded, but it's mostly focused on people who use XP, 7, or their 15-year-old Mac running an outdated version of Mac OS, refusing to upgrade/update, and/or the unspoken bottom line: give the companies involved more money. Those machines are a tremendous risk.

Generally my rule of thumb is that it gets more risky to connect these devices as the operating systems become newer but continue to be outdated. DOS, Windows for Workgroups, and to a lesser extent Windows 9x are pretty safe in 2024, and in Windows' case kind of useless, because either basic browsing is impossible (TLS 1.2 and disabled outdated protocols), or it's possible but incredibly slow (i.e. Firefox on my 486 running Windows 2000 or RetroZilla on Windows 95 on a 486). I'm kind of over using Windows for retrocomputing TBH because I'm more nostalgic for older stuff (486 and older mostly). But you'd be amazed how much hate I've had in the past from armchair infosec dweebs who think that a connected DOS system is a security risk. You're more at risk of winning the lottery or getting an autographed copy of QDOS from Tim Paterson than of getting cyberattacked through an old DOS system IMHO. Shoot, on my Tandy 1000A it'd probably hang the system if someone tried.

~The Creeping Network~
My Youtube Channel - https://www.youtube.com/creepingnet
Creepingnet's World - https://creepingnet.neocities.org/
The Creeping Network Repo - https://www.geocities.ws/creepingnet2019/

Reply 2 of 56, by VivienM

Rank Oldbie
creepingnet wrote on 2024-01-30, 02:57:

But you'd be amazed how much hate I've had in the past by armchair infosec dweebs who think that a connected DOS system is a security risk.

There might be more of a risk if you're putting a retro system directly on the IPv4 Internet without a NAT, e.g. on a university network or something (not sure who other than universities would have plentiful IPv4 IPs and a non-NAT setup in 2024). Not sure what ports would be opened by default on, say, a Win2000 system... and how exploitable that might be.

That being said, I would agree with you and presume the bad guys are being pragmatic. Why focus on Windows 9x exploits when the Internet is full of Windows 7 machines running unpatched web browsers?

Reply 3 of 56, by keenmaster486

Rank l33t

Hook your old PCs up to a modern router and forget about them. Just don't open any ports to them, but remember to keep your other machines secure too - they are susceptible to a wider range of attacks since everyone is targeting modern software.

I have my old PCs hooked up to my router and have for many years now. Never had any problems and I don't care if I did anyway. The only time I've ever been hacked is when I left a port open to my modern Linux computer to VNC with no password, like an idiot. My one lapse of judgement. I was only testing it for half a day, but that was as long as they needed. They almost got my Paypal before I turned off the machine.

Lesson here is: you will get "hacked" or get a virus if you are stupid. Just don't be stupid.

World's foremost 486 enjoyer.

Reply 4 of 56, by BitWrangler

Rank l33t++
creepingnet wrote on 2024-01-30, 02:57:

As far as I'm aware, internet connection sharing went away with Windows 9x.

It's still in Windows 7; I've used it. Don't know about 8 or 10 though.

edit: damned if I can find where to get into it though. I think you have to plug a cable in (crossover Ethernet, serial null modem or LapLink parallel), then it asks, or you can right-click Properties for "share this computer's internet connection".

Last edited by BitWrangler on 2024-01-30, 03:29. Edited 1 time in total.

Unicorn herding operations are proceeding, but all the totes of hens teeth and barrels of rocking horse poop give them plenty of hiding spots.

Reply 5 of 56, by Scythifuge

Rank Oldbie

I wonder if an open source internet connection sharing app could be made to allow routing through a "safe" modern OS from a retro box. Maybe it could be similar to how LAN games work, but with full web browsing. Sort of like a hybrid between a LAN connection and using the Win10 box as a "VPN" of sorts. The browser on the Windows XP box would click a link, it would then go to the Windows 10 box, which would handle it safely and then send the data to the Windows XP box. I could be wrong, though I believe something like that could be possible.

I miss the old days. I miss using Windows 9x and XP machines for my daily computing and internet surfing. I honestly despise Windows 10 (and will be switching to Linux after this machine), and I can't stand what has happened to the internet and the world today. Life was simpler and better back then.

Reply 6 of 56, by Scythifuge

Rank Oldbie
keenmaster486 wrote on 2024-01-30, 03:17:

Hook your old PCs up to a modern router and forget about them. Just don't open any ports to them, but remember to keep your other machines secure too - they are susceptible to a wider range of attacks since everyone is targeting modern software.

I have my old PCs hooked up to my router and have for many years now. Never had any problems and I don't care if I did anyway. The only time I've ever been hacked is when I left a port open to my modern Linux computer to VNC with no password, like an idiot. My one lapse of judgement. I was only testing it for half a day, but that was as long as they needed. They almost got my Paypal before I turned off the machine.

Lesson here is: you will get "hacked" or get a virus if you are stupid. Just don't be stupid.

I remember reading your posts in a past thread about retro box/internet safety. I think you or perhaps someone else in that thread were posting from DOS using Arachne. It reminded me of playing with Arachne in the mid-2000s and remembering how well it worked and how neat it was.

I may connect my retro boxes, using precautions. I won't be logging into anything important with them. There are old sites which I used to visit way back which still exist and still look like they did back then. I have a vast library of games, and I want to set up the retro boxes so I can jump on and play them without hassle. It would be cool to be able to download a patch or whatever else I may need while using the retro box, rather than jump between machines with an SD card. Or maybe I'd be using the XP box and have a question or want to make a post on Vogons, a post relevant to what I am doing on the XP box. If I ever make a website, I am going to do all that I can to make it look like they did back in the day and hopefully allow old PCs to be able to visit it without issues.

Reply 7 of 56, by DosFreak

Rank l33t++

It's a waste of time to do ICS since the security should lie elsewhere. A desktop should not be a router or a server.

Set up a pfSense or similar firewall before your modem.
Block ALL inbound and outbound traffic on the firewall; only allow the ports required to the internal IP addresses that need them.
If you want, set up a WireGuard VPN on the firewall and prevent all traffic from traversing the internet except the VPN connection.

For all machines, set up a DietPi VM or any other supported OS and set up Pi-hole. Set your DHCP server to use the Pi-hole IP.
For modern machines, set up SafeSquid or a similar VM to proxy traffic (80/443/etc.).
For modern machines, use the uBlock and NoScript extensions at a bare minimum.
For old machines, set up the WebOne proxy if you must surf the internet on these machines.

If you want you can go extra paranoid and set up VLANs, another firewall, a proxy, or dual-NIC a machine to separate networks.

Last edited by DosFreak on 2024-01-30, 03:49. Edited 7 times in total.

How To Ask Questions The Smart Way
Make your games work offline

Reply 8 of 56, by VivienM

Rank Oldbie
Scythifuge wrote on 2024-01-30, 03:24:

I wonder if an open source internet connection sharing app could be made to allow routing through a "safe" modern OS from a retro box. Maybe it could be similar to how LAN games work, but with full web browsing. Sort of like a hybrid between a LAN connection and using the Win10 box as a "VPN" of sorts. The browser on the Windows XP box would click a link, it would then go to the Windows 10 box, which would handle it safely and then send the data to the Windows XP box. I could be wrong, though I believe something like that could be possible.

I miss the old days. I miss using Windows 9x and XP machines for my daily computing and internet surfing. I honestly despise Windows 10 (and will be switching to Linux after this machine), and I can't stand what has happened to the internet and the world today. Life was simpler and better back then.

I think what you want is an old-fashioned proxy server running some kind of... something... that tries to catch malware/exploits/etc. You definitely need that filtering layer otherwise the browser exploits and the like will waltz right through. Before NAT became mainstream, that's how people shared Internet connections, I might add, though without the filtering...

Reply 9 of 56, by VivienM

Rank Oldbie
Scythifuge wrote on 2024-01-30, 03:36:

There are old sites which I used to visit way back which still exist and still look like they did, back then.

I don't know if I would trust those... there are plenty of sites that appear to have been neglected, still seem to look like they used to, are certainly indexed in Google with their old content, etc., but somehow, go to them, look at them funny, and boom, it's crazy scammy pop-up time. And I don't trust all those "your computer is full of viruses - call us at 1-800-SCAMMER to unlock your computer" popups; on a modern, fully-patched web browser they seem largely harmless, but... I wouldn't assume that to be the case on an older OS/browser/etc.

One issue is whether those sites were just manual HTML like people did 20+ years ago, or if they use some kind of CMS. Lots and lots of vulnerabilities in older CMSes, and it wouldn't surprise me if the bad guys used those vulnerabilities to turn some of those half-abandoned zombified old sites into vectors for malware.

Reply 10 of 56, by Scythifuge

Rank Oldbie
DosFreak wrote on 2024-01-30, 03:42:

It's a waste of time to do ICS since the security should lie elsewhere. A desktop should not be a router or a server.

Set up a pfSense or similar firewall before your modem.
Block ALL inbound and outbound traffic on the firewall; only allow the ports required to the internal IP addresses that need them.
If you want, set up a WireGuard VPN on the firewall and prevent all traffic from traversing the internet except the VPN connection.

For all machines, set up a DietPi VM or any other supported OS and set up Pi-hole. Set your DHCP server to use the Pi-hole IP.
For modern machines, set up SafeSquid or a similar VM to proxy traffic (80/443/etc.).
For modern machines, use the uBlock and NoScript extensions at a bare minimum.
For old machines, set up the WebOne proxy if you must surf the internet on these machines.

If you want you can go extra paranoid and set up VLANs, another firewall, a proxy, or dual-NIC a machine to separate networks.

I like learning about this stuff, even if I never end up using it. I will look into these things. I do use adblockers and whatnot. I remember, back in the day, religiously using Spybot to "inoculate" my PC. Hehe, those were the days...

Since the Windows XP source code is floating around, it would be cool if altruistic programmers released new security updates. However, on the flipside of the coin, evil hacker-jerks could use it to more easily attack Windows XP machines...

VivienM wrote on 2024-01-30, 03:47:
Scythifuge wrote on 2024-01-30, 03:36:

There are old sites which I used to visit way back which still exist and still look like they did, back then.

I don't know if I would trust those... there are plenty of sites that appear to have been neglected, still seem to look like they used to, are certainly indexed in Google with their old content, etc., but somehow, go to them, look at them funny, and boom, it's crazy scammy pop-up time. And I don't trust all those "your computer is full of viruses - call us at 1-800-SCAMMER to unlock your computer" popups; on a modern, fully-patched web browser they seem largely harmless, but... I wouldn't assume that to be the case on an older OS/browser/etc.

One issue is whether those sites were just manual HTML like people did 20+ years ago, or if they use some kind of CMS. Lots and lots of vulnerabilities in older CMSes, and it wouldn't surprise me if the bad guys used those vulnerabilities to turn some of those half-abandoned zombified old sites into vectors for malware.

Some of these sites proudly advertise how long they have been running, while opting to keep things looking and feeling the way that they always did. I can only hope that they keep up with security issues.

I often enjoy archive.org browsing. There have been times when I downloaded rare files from an archived website. If I can't find an old and rare file, I look to see if it exists on an archived website.

Reply 11 of 56, by chinny22

Rank l33t++

I've got my retro fleet hooked up to the router. I don't even bother with security updates once an OS goes end of life, as plenty of known exploits exist that will now never get patched, so you're still not really protected.
If I had problems I'd probably set stricter rules on the router's firewall, but I haven't, so I just run with the default config.

Only once have I had a problem, and that was me being stupid and using an XP PC to find a no-CD crack. So I have to agree with

keenmaster486 wrote on 2024-01-30, 03:17:

Lesson here is: you will get "hacked" or get a virus if you are stupid. Just don't be stupid.

I don't really surf the web though; as you say, that can be painful enough at times with an up-to-date setup. However, you do have this proxy which tries to make it somewhat usable on older machines. It would also offer another level of protection, as it seems to have some adblock functions and possibly breaks any dodgy scripts while "downgrading" websites.
WebOne - proxy for old browsers to make them Web 2.0-capable

I'm not sure about online gaming though, as we only ever did LAN games, but I thought the only way was to use the developers' game servers, which are all dead now. At least some games have community alternatives (probably requiring at least XP though), or there's a VPN, which should be as secure today as it was back then; it's just a lot harder to set up.

Reply 12 of 56, by konc

Rank l33t

I believe the easiest way is to just set up a VLAN and isolate the retro machines. Then just use them online; as you said, if something goes wrong it's not a big thing. The key here is to not include anything else in this old and insecure LAN.

Reply 13 of 56, by st31276a

Rank Newbie
keenmaster486 wrote on 2024-01-30, 03:17:

Lesson here is: you will get "hacked" or get a virus if you are stupid. Just don't be stupid.

This.

On this note, I trust modern windows computers the same amount I trust retro windows computers. I struggle to see the difference.

Reply 14 of 56, by RandomStranger

Rank Oldbie

I'd expect that by now a sufficiently old system (pre-NT 5.0) should be perfectly safe. Viruses for these old systems should be mostly extinct and at the same time harmless to modern systems, while modern viruses should be incompatible with these old ones.

As for hacking, behind NAT it shouldn't be a serious issue and you can set up a separate VLAN for these old systems without allowing them management access to your routers/switches. If anything happens, it's contained in that retro VLAN.


Reply 15 of 56, by rpocc

Rank Newbie

Windows ICS is literally a macro which enables the built-in routing services in Windows, so it becomes a network router, providing network address translation for the network connected to a secondary LAN port. The level of vulnerability depends much on how the Windows machine itself is connected to the Internet. If your computer is logically a server, so it has its own dedicated global IP address, it's exposed to any kind of port openings and requests from the whole Internet, and has to deal with any kind of attacks designed for Windows servers. In most cases, it's better to use a dedicated router as a firewall and not a general-use PC, at least as long as you're not a professional network administrator with some Unix-based network server that processes network packets better than some mid-priced hardware box.

But as long as you are hidden behind a network gate or a series of gates, your LAN isn't directly exposed and isn't directly accessible from the Internet, until specific ports are forwarded from the global-level router all the way down to the endpoint device, or such a forward is established using UPnP. However, sitting in the same network area as a vulnerable machine can put the whole network segment under attack.

If your vulnerable retro machine is connected to a shared gate, such as a home router in the same LAN with other devices (computers, printers, wi-fi clients, smart house, etc.), it won't respond to any direct request from the Internet until you forward some game-specific port right to it. However, if the gaming machine opens a connection, and then some hacker takes control over it using an exploit in a game/game protocol, whatever, they'll be able to execute arbitrary code on this machine and set up the OS in a way that at boot time it could open a special connection to a host on the Internet controlled by the hacker and wait for a request to pass control over itself to the hacker. Then, in theory, the hacker can act from inside and can analyze network settings and try to attack hosts which are in the same LAN as the gaming machine. And this is where the danger is hidden.

In the different scenario, when the retro gaming PC is connected using a PC as a router, e.g. using Internet Connection Sharing on a two-port Windows PC, there will be a different network segment, and the scope of visibility for the infected gaming machine will be its own internal network segment and its own internet gate, e.g. the routing Windows machine. So that machine will be visible and vulnerable to attacks as well, no matter if it's behind NAT or connected to the WAN directly, but other devices will be invisible to the gaming machine. Of course, you can protect the routing machine from such attacks with a set of firewall rules, preventing the gaming client from opening any ports but those absolutely needed for its direct tasks. In this way an attacker will have far fewer chances to attack the routing PC, but still, the PC is physically accessible, as if it were directly exposed to the Internet.

Assigning an individual network segment via VLAN could be a good approach to separate data flow between your main PC and a retro gaming PC whose security you can't be confident in.

Example: you're using something like a MikroTik RouterBoard (or actually almost any decent router which isn't the cheapest in the world) with per-port VLAN assignment, and you have some ISP WAN assigned to port 1, your LAN 192.168.0.0/24 assigned to ports 2-7, and another LAN 192.168.3.0/24 assigned to port 8. In this case, your machines will be in different networks; however, you'll still be able to exchange data between them via the router, using routing tables and firewall tables on the MikroTik, but you can set it up in a way that only the Windows 10 machine can establish, say, an FTP connection to the DOS machine, or an SMB connection to the Windows 98 machine (edit: no, SMB won't work between masqueraded networks; it's better to use another way of exchanging files. FTP is actually perfect), but the retro PC itself will be absolutely unable to initiate a connection and reach your Windows 10 machine or any other non-allowed host in your network without direct permission from the router, which we trust. So even if something takes full control over the retro machine, it will be technically locked inside a quarantine zone. Of course it could try to take over the router, but as with the routing PC, you have to keep it updated and protected with a strong password, and you can simply deny opening any ports associated with the shell, web interface or any other kind of control over the router from the retro segment using the INPUT chain in iptables.

All of that isn't supposed to be simple, but that is the theoretically correct way to isolate a weak device from other sensitive devices in a physically shared network using just one firewall/router/smart switch.

Reply 16 of 56, by stanwebber

Rank Member

i'm behind my isp's enterprise nat and then my router's nat. good luck trying to reach anything on my network from the outside. i can't even get in myself (tried to with reverse ssh tunnel, but it was never reliable).

in my lifetime the only piece of kit i've ever had compromised was a macbook pro of all things running the latest mac os. somehow they got vnc access into a disused profile with a semi-weak password and did some money transfers to south america with a throwaway gmail account. deleting the profile was the only step required to remediate--main profile was never compromised.

Reply 17 of 56, by dionb

Rank l33t++

Working for an ISP, I can say one of the commonest reasons customers' internet service gets suspended is when a system on their LAN gets enrolled on a botnet, and nine times out of ten, that system is running a modern-ish OS that either isn't supported anymore (Windows Vista, 7), or that is but for some reason updates aren't being installed (mainly Windows 10). So certainly with a modern-ish OS, you're running a real risk.

That said, 'don't be stupid' covers a lot of bases. Just being on internet and connecting to game servers for old games and playing them is highly unlikely to cause problems. Trawling dubious websites for illegal software, cracks (or just driver downloads from 'driver helper' sites 😦 ) is totally asking for problems though. If you really have to do that sort of thing, do it on a modern system patched to the hilt, preferably in a sandboxed environment. Also scan content on said system before distributing to the old stuff.

Outside of stupid behaviour, ISP best practice is to block a number of known problematic ports related to NetBIOS/SMB/Windows File & Printer Sharing, and RPCs: ports 135-137, 139 and 445. That will keep out things like Blaster worms. But it's much better to whitelist rather than blacklist: have the old machines behind a firewall that blocks all incoming traffic by default and preferably also all outgoing traffic except known stuff. The challenge here is that this takes quite a bit of knowledge of said traffic, and more recent badly coded games make that really difficult (I recall a FIFA football game that basically told you to forward 60k ports for it 😦 ). However, you should be able to play such modern online games on a modern, fully supported and patched system.

Really old stuff is less at risk - almost all active exploits are either aimed at Linux-based embedded systems or Win32, so DOS and Win3.x are essentially immune, and most Windows stuff these days relies on WinNT system components, so won't do much on Win9x either. Not that I'd recommend being blatantly promiscuous (unless said system is in its own VLAN and you're prepared to pull the plug if something goes wrong), but when I'm running mTCP tools under DOS on a 35-year-old machine, I don't take any specific precautions beyond being behind a NAT router with a deny-all rule for incoming traffic. I highly doubt PING.EXE is going to get me into trouble 😜

TLDR: watch out with WinXP, Vista and 7. Keep newer stuff properly updated. Be generally sensible with Win9x. And don't be stupid.
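The isolation rpocc sketches in Reply 15 (retro VLAN 192.168.3.0/24 on port 8, main LAN 192.168.0.0/24, FTP opened from the main side only, no retro access to the router's control plane) and the default-deny allowlist dionb recommends above can be written down as a small stateful policy model and checked before anyone types it into a real router. This is an added example, not code from the thread or from any router vendor; the router addresses, the management port set, the retro egress allowlist and the 203.0.113.0/24 "internet" addresses are assumptions, and FTP is modelled as a single passive-mode control connection.

```python
"""Stateful policy model for the retro-VLAN layout discussed in the thread.

Constructed example. Segments: main LAN 192.168.0.0/24, retro LAN
192.168.3.0/24. Router addresses, management ports and the egress allowlist
are assumptions; 203.0.113.0/24 (documentation range) stands in for the WAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAIN = ip_network("192.168.0.0/24")
RETRO = ip_network("192.168.3.0/24")
ROUTER_ADDRS = {ip_address("192.168.0.1"), ip_address("192.168.3.1")}  # assumed
MGMT_PORTS = {22, 80, 443, 8291}   # ssh, web UI, Winbox; assumed management set
RETRO_EGRESS_PORTS = {80, 443}     # what retro may open to the WAN; assumed
FTP_CONTROL = 21                   # passive FTP assumed: one control connection


def zone(addr: str) -> str:
    """Map an address to the firewall zone it belongs to."""
    a = ip_address(addr)
    if a in ROUTER_ADDRS:
        return "router"
    if a in MAIN:
        return "main"
    if a in RETRO:
        return "retro"
    return "wan"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


def new_connection_allowed(flow: Flow) -> tuple[bool, str]:
    """Decide the first packet of a connection. Specific denies come first,
    then the few explicit allows, then default deny in both directions."""
    s, d = zone(flow.src), zone(flow.dst)
    if s == "retro" and d == "router":
        if flow.dport in MGMT_PORTS:
            return False, "retro->router management denied"
        if flow.dport == 53:
            return True, "retro->router dns allowed"
        return False, "default deny"
    if s == "retro" and d == "main":
        return False, "retro->main initiation denied"
    if s == "main" and d == "retro" and flow.dport == FTP_CONTROL:
        return True, "main->retro ftp allowed"
    if s == "retro" and d == "wan" and flow.dport in RETRO_EGRESS_PORTS:
        return True, "retro egress allowlisted"
    if s == "main" and d == "wan":
        return True, "main egress allowed"
    return False, "default deny"


class Firewall:
    """Stateful filter: a non-SYN packet is accepted only if it belongs to a
    connection that was permitted when opened, in either direction. This is
    what lets the retro FTP server answer the main LAN without ever being
    allowed to start a connection towards it."""

    def __init__(self) -> None:
        self.established: set[Flow] = set()

    def packet(self, flow: Flow, syn: bool) -> tuple[bool, str]:
        if not syn:
            if flow in self.established or flow.reverse() in self.established:
                return True, "established"
            return False, "no matching connection"
        ok, why = new_connection_allowed(flow)
        if ok:
            self.established.add(flow)
        return ok, why


if __name__ == "__main__":
    fw = Firewall()
    for f, syn in [
        (Flow("192.168.0.20", 40000, "192.168.3.10", 21), True),   # main opens FTP
        (Flow("192.168.3.10", 21, "192.168.0.20", 40000), False),  # server replies
        (Flow("192.168.3.10", 1026, "192.168.0.20", 445), True),   # retro tries main
        (Flow("203.0.113.5", 4444, "192.168.3.10", 445), True),    # WAN tries retro
    ]:
        print(f, *fw.packet(f, syn))
```

The ordering of the checks is the part to carry over to whatever router you use: the deny on management ports and on retro-to-main must precede any allow, and the reply path exists only because the main side opened the connection.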

Reply 18 of 56, by Scythifuge

Rank Oldbie

This is a fun and educational thread. I am learning a lot and taking EVERYTHING into consideration. Thank you all for your posts! I hope that the thread remains alive until all information and bases are covered. I am going to research all of the suggestions that have been posted. I have my DOS/WfW 3.11 486, a Win98 P3 700 Voodoo5 system, a P3 DOS/WfW 3.11/Win95/Win98 Voodoo3 system (I use SD cards for each era with Moslo Deluxe on command.com to emulate slower systems on all but the Win98 card), and this Athlon XP/S.B. X-Fi/WinXP (and hopefully HyperX RAM soon) machine for all of my retro needs. I wonder if I could use a splitter on my cable line and connect the main router and a separate router just for the retro network.

If I had the throw-away resources, I would commission the creation of an online retro service like the old Prodigy/Compuserve/AOL days with servers replicating the old internet and BBSs with everything patched and protected on the service end, allowing retro PCs to connect without (much) worry. I am into severe preservation of tech and history and my philosophy is the exact opposite of the modern "let the past die; kill it if you have to" toxic philosophy.

Reply 19 of 56, by VivienM

Rank Oldbie
Scythifuge wrote on 2024-01-30, 18:07:

I wonder if I could use a splitter on my cable line and connect the main router and a separate router just for the retro-network.

That's getting into networking and TCP/IP stuff, but the way you'd want to do this is to have the "main router" be something fancy shmancy with multiple ports that are on separate networks.

So, basically,
port 1 - WAN (your ISP), with the public IP your ISP assigns
port 2 - 192.168.1.* - your normal network
port 3 - 192.168.2.* - the retro network
and then you can set up whatever routing/firewall rules between the three networks. You could also add another firewall type box in between that port and the retro machines.

This is very easy to do with computer-based routing stuff like pfSense, OPNsense, etc.; you just need an extra network card/port to a different switch and/or VLAN tagging to a VLAN-capable switch. Also very easy to do with more serious gear like Ubiquiti, SonicWall, etc. But your standard ISP-supplied integrated "gateway" device (which combines an ONT/cable modem/DSL modem, a NAT router/firewall, a small Ethernet switch, and a wifi access point in one box) can't do that kind of stuff.

And really, this is how a lot of businesses would do, say, a guest wifi. Different subnet, set the firewall to not allow any traffic to/from the internal network, straight NAT out the main Internet connection. Although that might be the exact opposite firewall/routing policy you'd want for your retro network...

Also, I might add, this is where VLANs can be handy, e.g. you could set up a RetroNAS VM on a machine, have that VM have a virtual interface on your normal network to connect to your modern NAS, and then a second virtual interface on your retro network. Physically it would just be one Ethernet port/cable out of the VM host; the VLAN-capable switch would handle all of it, just tell it that the ports with the retro machines should be on the retro VLAN.